I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellania like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

Now it’s clear the attack is no longer theoretical: At least one group of hotels in Houston was hit with a series of break-ins in September that used the lock-opening device to steal valuables from guests’ rooms, as I reported Monday.

Since I first began digging into this story in July, readers have asked what they can do to protect themselves and their possessions when staying in a hotel using Onity’s locks. So I turned for advice to Cody Brocious, the hacker who first brought this vulnerability to light, as well as others who have tracked this security mess. Here are their recommendations.

1. Ask the hotel if they’ve implemented Onity’s fix. Onity is offering its customers free plastic plugs to cover the vulnerable port on the bottom of their locks, which can only be removed by opening the locks’ case with a screwdriver. And for those hotels willing to shell out for a complete fix, Onity also offers replacement circuit boards that aren’t vulnerable to Brocious’s attack. It’s not clear, however, how many hotels have put either of those fixes into place–or are even aware of them. Calling hotel management ahead of your stay to ask which locks they use and whether they’ve implemented Onity’s new measures will give you a sense of their security, and help nudge them towards securing their locks if they haven’t already.

2. Use the door bolt or chain. This is the obvious one: Latching bolt above the lock on your door makes the attack on Onity’s locks irrelevant–at least when you’re in the room. Don’t depend, however, on the deadbolt alone, which in many cases is part of the keycard lock’s mechanism and can be opened with Brocious’s hacking tool.

3. Use the room safe. If your room has a safe, put your valuables in it when you leave. Though Brocious warns that those safes may have their own security flaws–some are also built by Onity–they would likely provide enough of a barrier to any thief that he or she would move on to the next room instead.

4. Use tamper-evident tape. It may be tempting to stick a wad of chewing gum in the port on the bottom of Onity’s locks. But Brocious suggests a less damaging method of keeping thieves from accessing the lock’s innards: Bring your own roll of tamper evident tape like this, and leave a strip across the bottom of the lock. It won’t actually block someone from using the port, but it will give you a heads-up if someone has. Thieves might prefer to move on to the next target rather than risk leaving behind a clue that could alert a hotel to break-ins.

5. Leave your valuables at the front desk, or don’t travel with them. Todd Seiders, director of risk management at the hospitality insurance firm Petra Risk Solutions, has tracked Onity’s imbroglio from the start. But he says it’s still far more likely that a hotel’s housekeeping staff would steal your valuables than a lock hacker. That means every hotel room should be treated as insecure, regardless of what locks it uses. So ask the front desk to put that Rolex or family heirloom in their safe. Or better yet, leave it at home.

Post Your Comment

Post Your Reply

Forbes writers have the ability to call out member comments they find particularly interesting. Called-out comments are highlighted across the Forbes network. You'll be notified if your comment is called out.